CVE-2026-40348
Received Received - Intake
SSRF in Movary Server-URL-Verify Allows Internal Network Reconnaissance

Publication date: 2026-04-18

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. The endpoint accepts a user-controlled URL, appends `/system/info/public`, and sends a server-side HTTP request with Guzzle. Because there is no restriction on internal hosts, loopback addresses, or private network ranges, this can be abused for SSRF and internal network probing. Any ordinary authenticated user can use this endpoint to make the server connect to arbitrary internal targets and distinguish between different network states. This enables SSRF-based internal reconnaissance, including host discovery, port-state probing, and service fingerprinting. In certain deployments, it may also be usable to reach internal administrative services or cloud metadata endpoints that are not directly accessible from the outside. Version 0.71.1 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40348
EUVD
EUVD-2026-23617
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
leepeuker movary to 0.71.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring and analyzing requests to the endpoint POST /settings/jellyfin/server-url-verify in the Movary application prior to version 0.71.1.

Since the vulnerability involves server-side requests to arbitrary internal targets triggered by user-controlled URLs, detection can involve checking for unusual or unexpected URLs being sent in POST requests to this endpoint.

Commands to detect exploitation attempts could include inspecting web server logs or using network monitoring tools to identify POST requests to /settings/jellyfin/server-url-verify with suspicious URL parameters.

  • Use grep or similar tools to search web server logs for POST requests to the vulnerable endpoint, for example: grep 'POST /settings/jellyfin/server-url-verify' /var/log/nginx/access.log
  • Use curl or similar tools to test the endpoint manually by sending POST requests with controlled URLs to see if the server makes outbound requests.
  • Monitor outbound HTTP requests from the server to detect unexpected connections to internal IP addresses or metadata endpoints.
Compliance Impact

The vulnerability allows an authenticated user to perform server-side request forgery (SSRF) to internal network targets, potentially accessing internal administrative services or cloud metadata endpoints. This could lead to unauthorized internal reconnaissance and data exposure.

Such unauthorized access and potential data exposure may impact compliance with standards like GDPR and HIPAA, which require protection of sensitive data and internal systems from unauthorized access.

However, the provided information does not explicitly state the direct effects on compliance with these regulations.

Executive Summary

This vulnerability exists in Movary, a self-hosted web app for tracking and rating movies, prior to version 0.71.1. An ordinary authenticated user can exploit the endpoint POST /settings/jellyfin/server-url-verify by providing a user-controlled URL. The server appends /system/info/public to this URL and makes a server-side HTTP request without restricting internal hosts, loopback addresses, or private network ranges.

Because of this lack of restriction, the vulnerability allows Server-Side Request Forgery (SSRF) attacks, enabling an attacker to make the server connect to arbitrary internal targets. This can be used for internal network reconnaissance such as discovering hosts, probing port states, and fingerprinting services.

In some deployments, this may also allow access to internal administrative services or cloud metadata endpoints that are not accessible externally. The issue was fixed in version 0.71.1.

Impact Analysis

This vulnerability can impact you by allowing an attacker with ordinary authenticated access to perform SSRF attacks through the vulnerable endpoint.

  • Internal network reconnaissance, including host discovery.
  • Port-state probing to identify open or closed ports.
  • Service fingerprinting to gather information about internal services.
  • Potential unauthorized access to internal administrative services or cloud metadata endpoints that should not be externally accessible.
Mitigation Strategies

Upgrade Movary to version 0.71.1 or later, as this version fixes the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40348. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart